Restoring Trust in audit and governance

The View of an Internal Auditor on Restoring Trust in Audit and Governance. 

1st May.

There has been a loss of confidence in the external audit industry.  There have been too many failures and with increased focus on the leading firms, action needed to be taken.

Quoting from the ICAEW, the “BEIS see corporate governance as a balanced system where directors, audit committees and auditors all play an important part alongside the regulator. But it is this wider impact that has attracted most attention in the press and where debate is likely to be strongest. The key question is whether the proposals will achieve what government wants from reform, and if not, what would be better?

BEIS will establish new responsibilities in UK company law and enforcement powers for the UK regulator, but this has international implications too. The proposals include a potential requirement for directors to attest to the effectiveness of internal control, based closely on the US Sarbanes-Oxley Act (SOX), introduced in 2002 following the Enron failure. Many elements of SOX have already been influential internationally, but it is a significant move for the UK to be considering adopting this central element of the SOX package.”

The BEIS paper proposes three options to achieve stronger company internal control:

  • Option 1: Directors’ statement on the effectiveness of internal control/risk management;
  • Option 2: Auditors say more about control effectiveness in existing reports; or
  • Option 3: Option 1 with the addition of auditor attestation.

Where are we now?

The independent auditor’s report currently describes the work the auditor has undertaken to properly understand the company’s internal control systems and then states how that work has influenced the audit. However, at present no formal external audit opinion on the effectiveness of internal controls is required.

There is an increased general concern regarding fraud deterrence controls operating within businesses and the BEIS is seeking to enhance independent oversight of this process.   Amongst the options for doing this are that external auditors of Public Interest Entities, as part of their statutory audit, report how they concluded that the directors’ statement on action taken to prevent and detect fraud is accurate. The external auditors should report on the steps they have then taken to detect any material fraud and assess the effectiveness of relevant controls.

CP 382 from the BEIS

CP 382 from the Department for Business, Energy and Industrial Strategy, entitled “Restoring trust in audit and corporate governance – Consultation on the Government’s proposals” has a closing date for comments on 8th July 2021. Having read this consultation paper, I applaud the recognition that new reporting and attestation requirements are needed covering internal controls, dividend and capital maintenance decisions and resilience planning. All of this is designed to sharpen directors’ scrutiny and accountability, as well as that of their external auditors.

After Patisserie Valerie called in administrators in 2019, I expressed my concerns regarding how the mis-statement losses had been overlooked. Its parent company Board, Patisserie Holdings had said that ‘The work carried out by the company’s forensic accountants has revealed that the mis-statement of its accounts was extensive, involving very significant manipulation of the balance sheet and profit and loss accounts. Among other manipulations, this involved thousands of false entries into the company’s ledgers.’

The consultation paper cites the insolvencies of BHS (unlisted) in 2016, Carillion (London Stock Exchange listed) in 2018, as well as Patisserie Valerie (AIM) in 2019. The pattern over decades has been of too many companies that have had to belatedly issue a series of profit warnings before they collapsed, owing creditors (including unsuspecting employees) very large sums of money. It is extremely rare that things go badly wrong in just one year; later investigations normally reveal a history of cut-off errors or subjective judgments that have favoured the reported profits of those earlier years.

So change is required within external audit to increase the level of challenge.  Joint audits are proposed, but these also result in concerns.  The two teams really need to work effectively together, or the risk exists that some matters will fall between the two audits.  Increasing the pool of auditors capable of undertaking major audits is clearly important, but improved oversight of their activities is also required.

What does this mean for Internal Audit?

Unless internal auditors, too, thoroughly audit the financial statement production process and its output, we also remain hostages to fortune, as the cases of Patisserie Valerie, Carillion plc and many others have demonstrated.

The current obligatory internal control framework for UK companies is weak and vague. One issue is that internal controls that were properly designed and appeared to have been operating effectively for years may later be found to be either defective or too easily circumvented, potentially resulting in corporate failure. Therefore, false assurance may have been provided over time and relied upon by the Board and others. It needs to be recognised that controls that are designed to prevent manifest error may not be as effective in detecting and preventing fraud, and that management collusion can make the role of both internal and external audit more complex to complete effectively.

Change is Needed

One of my very strongly held views based on experience as an external auditor, internal auditor and financial services approved person dealing with companies that have experienced major control failures, is that it is more likely in established companies to be control circumvention that exposes a company to poor accounting and fraud rather than weak controls.

Internal auditors collectively need to get better at challenging the financial statements’ controls, including thorough fraud risk management assessment and testing. Fraud risk deterrence auditing and prevention goes beyond identifying warning signs.  It is as concerned over control override and manual intervention as identifying poorly designed or “ineffective” controls. If controls are effective 99.9% of the time, this is not enough to stop the fraud that occurs at the rate of 1 transaction in every 1,000 (0.1%). Such frauds may be cynically targeted at specific control points and can be supported by manipulation of audit trails. Even if internal audit were to test to confidence levels of 98 or 99%, would they expect to detect all large frauds? Particularly if the audit trail has been obscured.

This leads to the use of Artificial Intelligence techniques by the business, checking 100% of transactions and identifying transactions warranting additional investigation. Internal auditors need to see that such approaches have been properly integrated into 1st line routines, conducting such additional work as they require to meet their extending obligations.

Fraud risk management differs from other operational risk management in its scope and complexity. Many cases have targeted weaknesses within structures and management supervision.  This is also combined with creation of fake records and the systematic and calculated destruction or amendment of audit trails.

So internal auditors need to put the detection and deterrence of fraud at the center of their audit work.  Even if it is not found, error and more benign control breaches or omissions may still be identified. Further, whenever controls appear to have failed, internal auditors need to keep digging until the root cause of the problem is identified.

Beyond consideration of inherent fraud risks in each of the company or sector activities (and products) and testing the related controls, what are the other elements of fraud auditing? Amongst the various issues to consider, internal auditors need to address:

  1. the management and reporting of errors, exceptions, outliers and warning signs, together with cases where there is retrospective transaction or static data approval,
  2. belated correction of errors and their investigation through independent root cause analysis,
  3. detailed analysis by relevant senior management of internal audit and internal investigation reports,
  4. proper understanding and reporting of reconciliation analysis and suspense account re-allocations,
  5. taking whistleblowing reports seriously.

Furthermore, I am not alone in finding that Benford’s Law analyses may be very efficiently applied across whole data sets, to search for anomalies and data patterns that are unnatural, and which may indicate suspicious activity. This may be much more reliable than traditional control compliance testing based upon relatively small samples. Not only can this analysis be truly effective and insightful, but it has been recommended by the Association of Certified Fraud Examiners for twenty-five years or more. [2]
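A first-digit Benford screen run over every entry in a ledger, as an added example that is not from the original article or from the ACFE. The ledger values, the 5,000 approval limit and the function names are constructed assumptions chosen for illustration.

```python
import math
from collections import Counter

# Benford's Law: P(leading digit = d) = log10(1 + 1/d), d = 1..9
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
# Chi-square critical value for 8 degrees of freedom at the 5% level
CHI2_CRITICAL = 15.507

def first_digit(amount):
    """Leading non-zero digit of an amount; None for zero."""
    if amount == 0:
        return None
    return int(f"{abs(amount):.15e}"[0])

def benford_screen(amounts):
    """Compare the leading-digit distribution of every entry with Benford."""
    digits = [d for d in map(first_digit, amounts) if d is not None]
    n = len(digits)
    counts = Counter(digits)
    chi2 = sum((counts[d] - n * p) ** 2 / (n * p) for d, p in BENFORD.items())
    excess = {d: counts[d] / n - p for d, p in BENFORD.items()}
    return {
        "entries": n,
        "chi2": round(chi2, 2),
        "flag": chi2 > CHI2_CRITICAL,
        "most_over_represented": max(excess, key=excess.get),
    }

# Constructed ledger: 2,000 amounts spread log-uniformly from 10 to 100,000,
# which follows Benford's Law closely (stands in for organic transactions).
CLEAN_LEDGER = [10 ** (1 + 4 * i / 2000) for i in range(2000)]

# Constructed manipulation: 150 false entries placed just under an assumed
# 5,000 approval limit, the kind of control circumvention the article describes.
FALSE_ENTRIES = [4900 + (i % 100) for i in range(150)]
TAMPERED_LEDGER = CLEAN_LEDGER + FALSE_ENTRIES

if __name__ == "__main__":
    for name, ledger in (("clean", CLEAN_LEDGER), ("tampered", TAMPERED_LEDGER)):
        print(name, benford_screen(ledger))
```

A flag is a reason to pull the over-represented entries for investigation, not proof of fraud; the screen suits naturally occurring amounts that span several orders of magnitude.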

There is a good opportunity with this consultation to address internal controls and its subset of “internal financial controls.” If the Directors’ Statement could cover all aspects of the company’s internal control and risk management procedures, I believe this is preferable to it being restricted to “the internal controls over financial reporting.” Most key controls have potential financial consequences, whether or not they are defined as “internal financial controls.”

The FRC evidence in the consultation paper points to a pervasive presumption historically made by external auditors that fraudulent financial reporting is unlikely to arise, with the consequence that fraud deterrence external audit procedures have been largely seen as a compliance exercise.

Perhaps this in some way explains some of the past failures to detect serious accounting misstatements and fraud as it built up over time and before it accumulated to catastrophic levels. The supporting Brydon Review finding that external auditors’ skillset needs to change radically, and that forensic accounting training must therefore become a part of both their qualification and continuous development, is entirely logical. I strongly believe that this is necessary but not sufficient and quality assurance over the assessment of internal financial controls should also be significantly tightened. For the relative importance of financial statement fraud, I refer to the ACFE: “2020 Report to the Nations. Copyright 2020 by the Association of Certified Fraud Examiners, Inc. [1]”: –

This report studied the costs and effects of occupational fraud. Amongst its findings was that, of the three categories of occupational fraud, financial statement fraud schemes were the least common (10% of schemes) but by far the costliest category: –

  • Asset misappropriation fraud: most cases; median loss $100,000
  • Corruption: median loss $200,000
  • Financial statement fraud: 10% of cases; median loss $954,000

Owners/ executives accounted for only 20% of the frauds in their study but the median loss in those cases (USD 600,000) far exceeded the losses caused by managers and employees. Fraud losses tend to rise in line with authority levels and it is suggested that owners/ executives are generally in a better position to override controls than their lower-level counterparts and often have greater access to an organization’s assets.

The Association of Certified Fraud Examiners found that four anti-fraud controls were associated with a 50% or greater reduction in both fraud losses and duration:

  • a code of conduct;
  • an internal audit department;
  • management’s certification of financial statements; and
  • regular management review of internal controls, processes, accounts, or transactions.

This consultation may be internal audit’s best opportunity to be instrumental in long-lasting improvements in various governance and financial reporting duties. Importantly, in supporting rigorous annual reviews of the effectiveness of a company’s internal controls, external auditors’ opinions on those controls (including dividend and capital maintenance reporting and attestation requirements) are likely to need to rely increasingly on the cost-effective work of the internal auditors as part of the revised IIA 3 lines model.

Specifically this is a chance to mandate, for the first time, thorough and consistent fraud deterrence testing for both internal and external auditors and to get to grips with the risk and other indicators of control override and circumvention.

If forensic accounting training can also be a requirement, it should extend beyond the simple design of anti-fraud controls.  It needs to be combined with strong quality assurance over the assessments of internal financial controls, so that external and internal auditors in the future will be far better equipped to unearth financial statement fraud.

The risk to auditors demonstrated by the likes of Patisserie Valerie again highlights that uncovering fraud is increasingly seen as being a primary role of auditors, whether internal or external. No longer can they argue that they are looking in the past and we are not set up to look for fraud.

Society is looking for the providers of assurance to add real value to the maintenance of all of the assets of the company, whether in the financial statements or not, and increasingly to provide real assurance as to the reliability of management representations and reporting. As internal auditors we should all welcome and embrace the consequent change in our roles and play an active part in the transition.

With thanks to the Association of Certified Fraud Examiners, Inc. for: –

[1] 2020 Report to the Nations. Copyright 2020 by the Association of Certified Fraud Examiners, Inc.

[2] Using Benford’s Law to detect fraud.

Copyright © John Webb 2021
